
Thread: Rootkit result (hopefully posted correctly)

#11 Dakeyras (Security Expert-Emeritus; joined Sep 2008; location: The Tundra; 1,173 posts)

    Hi.

> So this is not malware?
That will be addressed/researched further in due course.

> Will this thread be deleted once we are finished? I feel vulnerable with all this information about my PC online.
It will eventually be moved to the Archives area of the forum, and there is no personal information in any of the logs so far, or in future ones, that is a cause for concern.

> As for the proxy, I never made one. How do I get rid of it?
Acknowledged; the custom OTL script below will take care of that.

> I'm having trouble finding the exe file for Microsoft Fix it. I did restart my PC.
I take it you did download it and then run it?

You attached a copy of the log created by aswMBR, not the actual requested MBR.dat. So please check your desktop for a file named MBR.dat.

If you cannot locate it, not to worry; merely inform me in your next reply please.

    Custom OTL Script:

    • Right-click OTL.exe and select Run as Administrator to start the program.
• Copy the lines from the quote-box (do not copy the word "quote") to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Commands
    [CreateRestorePoint]

    :OTL
    IE - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
    IE - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:8080
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
    O3 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O13:64bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-3363456023-2054032563-2103478203-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O33 - MountPoints2\{a034fbb6-1b71-11e3-84fb-902b34d84bf0}\Shell\AutoRun\command - "" = I:\setup.exe
    [2014/03/27 03:42:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registrar Registry Manager
    [2014/03/27 03:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\Registrar Registry Manager
    [2014/03/06 22:35:27 | 000,000,000 | ---D | C] -- C:\Users\admin\Documents\SmartPack
    [2014/03/06 22:35:22 | 000,000,000 | ---D | C] -- C:\Windows\SmartPack
    [2014/03/27 03:42:07 | 000,000,902 | ---- | M] () -- C:\Users\admin\Desktop\Registrar Registry Manager.lnk
    [2014/03/24 22:48:18 | 000,214,392 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
    [2014/03/22 22:51:50 | 003,894,632 | ---- | C] () -- C:\Windows\SysWow64\pbsvc.exe

    :Files
    ipconfig /flushdns /c
    netsh advfirewall reset /c
    netsh advfirewall set allprofiles state off /c

    :Reg
    [HKEY_USERS\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"=-
    [HKEY_USERS\S-1-5-21-3363456023-2054032563-2103478203-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"=-

    :Commands
    [EmptyTemp]

• Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
    • Then click the red Run Fix button.
    • Let the program run unhindered.
    • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- the file name denotes the date/time the log was created.

    Scan with RogueKiller:

    Please download RogueKiller to your desktop

    Alternate downloads are here or here.

    • Quit all running programs.
    • Right-click on RogueKiller.exe and select Run as Administrator to start the application.
    • Let the pre-scan complete, then click on Accept option when the disclaimer window appears.
    Note: If a browser window is launched/opened, merely close it.
    • Now click on the Scan tab back in the RogueKiller main window.
    • The RKreport.txt shall be generated next to the executable along with a zip file named RK_Quarantine.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.com.
    • Please post the contents of the RKreport.txt in your next reply.

    Next:

When you have completed the above, please post back the following, in the order asked for:

• How is your computer performing now? Any further symptoms or problems encountered?
• Were you able to locate the MBR.dat file on the desktop? Plus the answer to my MS Fix it query.
    • OTL Log from the Custom Script.
    • RogueKiller Log.
    Last edited by Dakeyras; 2014-03-28 at 13:14. Reason: Update URL.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
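Editor's added example, not posted by Dakeyras or the user and not part of OTL: the two per-user findings the script above removes are a WinINet proxy aimed at localhost:8080 (every browser request is handed to whatever listens on that port on the same machine) and a MountPoints2 Shell\AutoRun\command that the shell cached from a removable drive's autorun.inf. The audit functions below are pure so they run anywhere; the winreg helpers only work on Windows, where HKCU is the same hive OTL lists as HKU\<SID> for the logged-on user. ProxyEnable is not shown in the log, so the constructed input assumes it is 1.

```python
"""Editor's added example, not from the thread, from OTL or from any of the
tools it names: audit the two per-user registry artefacts that the ':OTL'
lines above remove, a WinINet proxy aimed at the local machine and a cached
MountPoints2 AutoRun command.  The decision functions are pure so they run
anywhere; the winreg helpers only work on Windows."""
import re
import sys
from typing import Dict, List, Optional

# A browser proxy pointing at one of these hands every request to whatever
# process happens to listen on that port on this machine.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def parse_proxy_server(value: str) -> Dict[str, str]:
    """WinINet ProxyServer syntax: one 'host:port' for every protocol, or a
    ';'-separated 'scheme=host:port' list.  '*' stands for the all-protocol form."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if sep:
            out[scheme.strip().lower()] = hostport.strip()
        else:
            out["*"] = part
    return out


def host_of(hostport: str) -> str:
    """'localhost:8080' -> 'localhost'; 'http://[::1]:3128' -> '[::1]'."""
    hp = hostport.split("://", 1)[-1]
    if hp.startswith("["):                       # bracketed IPv6 literal
        return hp[: hp.index("]") + 1]
    return hp.rsplit(":", 1)[0] if ":" in hp else hp


def audit_proxy(enable: int, server: Optional[str], override: Optional[str]) -> List[str]:
    """Explain what a ProxyEnable / ProxyServer / ProxyOverride triple does."""
    findings: List[str] = []
    if not server:
        return findings                           # no proxy configured at all
    state = "active" if enable else "set but disabled (ProxyEnable=0)"
    for scheme, hp in parse_proxy_server(server).items():
        if host_of(hp).lower() in LOOPBACK:
            findings.append(f"{scheme} proxy {hp} points at the local machine, {state}; "
                            "unless a local proxy product owns that port, requests fail or are intercepted")
        else:
            findings.append(f"{scheme} proxy {hp}, {state}")
    if override:
        findings.append(f"bypass list: {override}")
    return findings


def audit_autorun(command: str) -> Optional[str]:
    """MountPoints2\\{guid}\\Shell\\AutoRun\\command is the shell's cached copy of
    an autorun.inf action from a removable volume; a non-empty value is worth
    removing whether or not current AutoRun policy would still let it run."""
    command = command.strip().strip('"')
    if not command:
        return None
    m = re.match(r"([A-Za-z]):\\", command)
    where = f"drive {m.group(1).upper()}:" if m else "an unrecognised path"
    return f"cached autorun action for {where} runs {command}"


def read_current_user_proxy() -> Dict[str, Optional[object]]:
    """Windows only.  HKCU is the hive OTL lists as HKU\\<SID> for the logged-on user."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_KEY) as key:
        def value(name: str):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                return None
        return {"ProxyEnable": value("ProxyEnable") or 0,
                "ProxyServer": value("ProxyServer"),
                "ProxyOverride": value("ProxyOverride")}


def disable_current_user_proxy() -> None:
    """Windows only: the registry effect of the two ':OTL' proxy lines above.
    Browsers that are already running pick the change up after a restart."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "ProxyEnable", 0, winreg.REG_DWORD, 0)
        for name in ("ProxyServer", "ProxyOverride"):
            try:
                winreg.DeleteValue(key, name)
            except FileNotFoundError:
                pass


if __name__ == "__main__":
    if sys.platform == "win32":
        cfg = read_current_user_proxy()
        lines = audit_proxy(int(cfg["ProxyEnable"] or 0), cfg["ProxyServer"], cfg["ProxyOverride"])
    else:
        # Constructed input copied from the OTL lines above; the log does not
        # show ProxyEnable, so 1 is an assumption.
        lines = audit_proxy(1, "localhost:8080", "*.local;<local>")
        lines.append(audit_autorun(r"I:\setup.exe") or "")
    print("\n".join(lines))
```

Run it as-is on a non-Windows box to see the classification of the values from this thread; on the affected machine, run it as the user in question to read the live values, and call disable_current_user_proxy() only once you have confirmed that nothing legitimate (a filtering antivirus, a debugging proxy) is meant to be listening on that port.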

#12 Junior Member (joined Mar 2014; 8 posts)

    Hi again

I apologize for the late reply. The computer seems to be running fine. I re-downloaded Microsoft Fix it and ran the program; I closed the program down when it asked for a restart because at this time I'm writing this response, but I remember reading something along the lines of "it's been processed". I assumed I had to install it and then run it again, but it seems it's done whatever it does. I could not find the mbr.dat file; if I may have deleted it accidentally, I apologize.

Attachments:

OTL-SCAN.txt (OTL custom scan)

RKreport[0]_S_04012014_212627.txt (RogueKiller scan)

#13 Dakeyras (Security Expert-Emeritus; joined Sep 2008; location: The Tundra; 1,173 posts)

    Hi.

> I apologize for the late reply
Not a problem.

> the computer seems to be running fine
Good.

> I could not find the mbr.dat file; if I may have deleted it accidentally, I apologize.
Fair play.

    Re-scan with aswMBR:

    Delete both aswMBR.exe and aswMBR.txt if still present, then empty the Recycle Bin.

    Please re-download aswMBR.exe to your desktop.

    • Right-click on aswMBR.exe and select Run as Administrator to launch the application.
    • When prompted with The application can use the Avast! Free Antivirus for scanning >> select Yes
• The Avast! virus definitions database will automatically be downloaded. Be patient; this may take some time depending on the speed of your Internet connection.
• Once it has downloaded, ensure that only the QwickScan option next to AV scan: is selected. It should be by default.
• Now click on the Scan button to start the scan.
• On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply.
• Click on Exit.

Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).

    Next:

Look for MBR.dat on your desktop:

C:\Users\admin\Desktop\MBR.dat <-- Right-click on the file and select Send To >> Compressed (zipped) folder

Post the zip file created as an attachment in your next reply please, along with the new aswMBR log.
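Editor's added example, not posted by Dakeyras and not part of aswMBR: the MBR.dat backup requested above is what a helper inspects offline before deciding whether the boot sector has been tampered with. The script below assumes MBR.dat holds the raw first sector of the disk (512 bytes) and checks the things that matter in a rootkit case: the 0x55AA boot signature, whether the boot code still carries the error strings of the stock Microsoft MBR (a bootkit overwrites that code, though so does a legitimate third-party loader), and a sane partition table (one active entry, no overlaps, nothing starting on top of the MBR). The two sample sectors are constructed for the demonstration and are not images of any real disk.

```python
"""Editor's added example, not from the thread or from aswMBR: parse a 512-byte
MBR dump such as the MBR.dat backup aswMBR writes and report what a helper
looks at before deciding whether the boot sector has been tampered with.
Assumption: MBR.dat holds the raw first sector of the disk."""
import struct
from typing import Dict, List, Tuple

BOOT_SIG = b"\x55\xaa"
# Error strings present in the stock Microsoft MBR boot code (XP through 7).
# Their absence means a non-Microsoft loader or overwritten boot code, which is
# what a bootkit looks like but also what GRUB or an OEM loader looks like.
MS_STRINGS = (b"Invalid partition table", b"Error loading operating system",
              b"Missing operating system")
ENTRY = "<BBBBBBBBII"   # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_partitions(table: bytes) -> List[Dict[str, int]]:
    parts = []
    for i in range(4):
        f = struct.unpack_from(ENTRY, table, i * 16)
        parts.append({"index": i, "status": f[0], "type": f[4],
                      "lba_start": f[8], "sectors": f[9]})
    return parts


def parse_mbr(data: bytes) -> Dict[str, object]:
    if len(data) < 512:
        raise ValueError(f"MBR dump is {len(data)} bytes, expected at least 512")
    sector = data[:512]
    return {"bootstrap": sector[:440],
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parse_partitions(sector[446:510]),
            "boot_signature_ok": sector[510:512] == BOOT_SIG}


def check_mbr(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    mbr = parse_mbr(data)
    findings: List[str] = []
    if not mbr["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature: not a bootable MBR")
    missing = [s.decode() for s in MS_STRINGS if s not in mbr["bootstrap"]]
    if missing:
        findings.append("bootstrap code lacks the Microsoft MBR strings "
                        + ", ".join(repr(s) for s in missing)
                        + ": third-party loader or overwritten boot code")
    parts = [p for p in mbr["partitions"] if p["type"] or p["sectors"]]
    active = [p["index"] for p in parts if p["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active {active}; the BIOS expects one")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0:
            findings.append(f"entry {p['index']}: type 0 but {p['sectors']} sectors")
        if p["lba_start"] == 0:
            findings.append(f"entry {p['index']}: starts at LBA 0, on top of the MBR itself")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in parts if p["lba_start"])
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_sample(bootstrap: bytes, entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Constructed test sector, not an image of any real disk."""
    sector = bytearray(512)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, 440, 0x1234ABCD)          # NT disk signature
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY, sector, 446 + i * 16, status, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Stock-looking sector: Microsoft strings in the code area, one active NTFS partition.
CLEAN = build_sample(b"\xfa\x33\xc0" + b"\x00" * 200 + b"\x00".join(MS_STRINGS),
                     [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)])
# Tampered-looking sector: boot code replaced, two active entries that overlap.
TAMPERED = build_sample(b"\x90" * 300,
                        [(0x80, 0x07, 2048, 204800), (0x80, 0x07, 100000, 1000000)])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED
    mbr = parse_mbr(data)
    print(f"disk signature 0x{mbr['disk_signature']:08X}")
    for p in mbr["partitions"]:
        print(f"  entry {p['index']}: status 0x{p['status']:02x} type 0x{p['type']:02x} "
              f"start {p['lba_start']} sectors {p['sectors']}")
    print("\n".join(check_mbr(data)) or "nothing stood out")
```

Run it as `python mbrcheck.py MBR.dat` against the backup; with no argument it reports on the constructed tampered sector. A clean report is not proof of a clean disk (a bootkit can also hide in the unpartitioned gap before the first partition, which this script does not read), but a missing signature, a foreign bootstrap on a machine that should have the stock loader, or a malformed partition table is reason to escalate rather than to close the thread.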

#14 Dakeyras (Security Expert-Emeritus; joined Sep 2008; location: The Tundra; 1,173 posts)

    Due to the lack of feedback this Topic is closed.

    If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh set of DDS logs and a link to your previous thread.

    If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
    Last edited by tashi; 2014-04-25 at 19:55. Reason: Thank you Dakeyras :-)
